PAM&mdash;Securing Linux Boxes Everywhere

There might be security in numbers (as the poor British Museum guard
thought when he
tried to deter Raffles from stealing the cup), but for Linux,
PAM is the way to go. Without even resorting to rolling out your own
modules, you can add plenty of flexibility to your security by
setting up a few configuration files and rest assured that those
rules will be obeyed globally.

Modules, Modules Everywhere

Your system's security depends on the modules you use. Modules
are stored in /lib/security or /lib64/security (for 64-bit systems),
but some distributions do not follow this standard. For example,
you might find the modules in /usr/lib/security. You can write your own
modules if you want (see Resources), but for starters, you probably will be
able to manage with the standard ones. The following is a list
of the more common modules. For more information, use the
man command. Also note that there is no standard list of modules,
and each distribution may include more modules or variations on
the modules below.

pam_access: allows or refuses access, based on IPs, login names, host
or domain names and so forth. By default, access rules are specified in
/etc/security/access.conf. Whenever a user logs in, the access rules
are scanned in order for the first match, and permission is granted or
denied accordingly. See also pam_time for further restrictions.

pam_cracklib and pam_pwcheck:
provide password strength-checking
and disallow repeated, too simple and easily guessed
possibilities. Users are prompted for a password, and if it passes the
predefined rules and is considered strong, users are prompted again
as a check.

pam_deny: simply denies access. It can be used to block users as a
default rule. See also pam_permit.

pam_echo: displays a (configurable) text message to the user. See also
pam_motd.

pam_env: allows setting or unsetting environment variables.
The default rules are taken from /etc/security/pam_env.conf.

pam_exec: calls an external command.

pam_lastlog: displays the date and time of the last login.

pam_limits: sets limits on the system resources that a user might
require. The default limits are taken from /etc/security/limits.conf.

pam_listfile: allows or denies services based on a
file. For example,
you could limit FTP access to users in the file /etc/ftpusers_ok by
including the line auth required pam_listfile.so item=user sense=allow
file=/etc/ftpusers_ok onerr=fail in the /etc/pam.d/ftpd file. See also
pam_nologin.

pam_mail: informs users whether they have
mail.

pam_mkhomedir: creates a user home
directory, if it doesn't exist on the
local machine. This allows you to use central authentication (NIS or LDAP,
for example) and create user directories only when needed.

pam_motd: displays the “message of
the day” file to users.
See also pam_echo.

pam_nologin: disallows logins when /etc/nologin exists.

pam_permit: allows entry without
checks—quite unsafe!
See also pam_deny.

pam_rootok: allows access for the root user
without further checks. This typically is used in /etc/pam.d/su to let root
act as another user without entering a password. The file should contain
the following lines (regarding the second line, see pam_wheel):

pam_succeed_if: tests for account characteristics, such as belonging
to a certain group, having a certain UID and so on.

pam_time: restricts access to services depending on the day of
the week and time of the day. The default rules are taken from
/etc/security/time.conf. Note, however, that only the login time is
enforced. There's no way to force the user to log out afterward.

pam_umask: sets the file mode creation
mask.

pam_unix or pam_unix2: classic UNIX-style authentication, based on
the /etc/passwd and /etc/shadow files. See also pam_userdb.

pam_userdb: authenticates against a database. See also pam_unix.

pam_warn: logs the service, terminal, user and more data to the system
log. The module can be used anywhere, because it won't affect the
authentication process.

pam_wheel: allows root access only to members of group wheel.
This frequently is used for su, so only selected
users can use
it. See the pam_rootok entry for an example.

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.